This Article Applies From: DeMeter 2.15.2
Introduction
This article will guide you through DeMeter customisation for securing access to RavenDB.
1 - Prerequisites
1.1 - Who is this article intended for
If you are unsure about the procedure, please reach out to your Desoutter contact or the Remote Software Support Team.
1.2 - Suggested readings before diving-in
We advise you to read through the following articles before reading through the rest of the article:
- DeMeter installation procedure.
- Procedure to install a RavenDB license.
- Procedure to secure DeMeter access with a certificate.
1.3 - Certificate and Network requirements
RavenDB uses X.509 certificate-based authentication. Since the certificate must comply with your IT infrastructure, obtaining such a certificate remains within the scope of your IT Department.
The certificate must:
- Be in a PFX format.
- Implement several specific Extension Types - please see the list below:
| Extension Type | Value | Meaning / Use Case |
| --- | --- | --- |
| Key Usage | DigitalSignature | Used to verify digital signatures. |
| Key Usage | KeyEncipherment | Used to encrypt keys or data that will be decrypted by the private key. |
| Enhanced Key Usage | Client Authentication | Used by clients to prove their identity to the server (mTLS). |
| Enhanced Key Usage | Server Authentication | Used by servers to prove their identity to clients (HTTPS). |
Note that if your DeMeter installation is not standard (high availability...), some additional requirements may apply to the certificate - reach out to your local Desoutter contact or the Remote Software Support Team if you need any additional details on the subject.
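The requirements listed above can be checked on the PFX before it is handed to RavenDB. The PowerShell function below is an added example, not part of the original article or of any Desoutter or RavenDB tooling; the function name and the file path in the usage line are hypothetical.

```powershell
using namespace System.Security.Cryptography.X509Certificates

# Added example (not Desoutter or RavenDB tooling): check a PFX against the
# requirements listed above. Function name and file path are hypothetical.
function Test-RavenDbPfx {
    param(
        [Parameter(Mandatory)][string]       $PfxPath,
        [Parameter(Mandatory)][securestring] $Password
    )
    # Throws if the file is not a readable PFX or the password is wrong.
    $cert = [X509Certificate2]::new((Resolve-Path -LiteralPath $PfxPath).Path, $Password)
    try {
        $ku  = $cert.Extensions | Where-Object { $_ -is [X509KeyUsageExtension] }
        $eku = $cert.Extensions | Where-Object { $_ -is [X509EnhancedKeyUsageExtension] }
        # A missing extension counts as "requirement not met".
        $usages  = if ($ku) { $ku.KeyUsages } else { [X509KeyUsageFlags]::None }
        $ekuOids = @(if ($eku) { $eku.EnhancedKeyUsages | ForEach-Object { $_.Value } })
        $now = Get-Date

        $checks = [ordered]@{
            'PFX contains the private key' = $cert.HasPrivateKey
            'Currently within validity'    = ($now -ge $cert.NotBefore -and $now -le $cert.NotAfter)
            'KU  DigitalSignature'         = $usages.HasFlag([X509KeyUsageFlags]::DigitalSignature)
            'KU  KeyEncipherment'          = $usages.HasFlag([X509KeyUsageFlags]::KeyEncipherment)
            # OIDs of the two Enhanced Key Usages required by the table above.
            'EKU Client Authentication'    = $ekuOids -contains '1.3.6.1.5.5.7.3.2'
            'EKU Server Authentication'    = $ekuOids -contains '1.3.6.1.5.5.7.3.1'
        }
        foreach ($name in $checks.Keys) {
            [pscustomobject]@{ Check = $name; Passed = [bool]$checks[$name] }
        }
    }
    finally { $cert.Dispose() }
}

# Usage: prompt for the password so it does not land in the command history.
# Test-RavenDbPfx -PfxPath 'C:\path\to\server.pfx' -Password (Read-Host 'PFX password' -AsSecureString)
```

The private-key and validity checks are additions beyond the table: a certificate used as the RavenDB Server certificate needs its private key and must not be expired.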
RavenDB supports the following protocols to secure communication:
- TLS 1.2.
- TLS 1.3.
Can I use the same certificate to secure DeMeter and RavenDB? The answer depends on the type of DeMeter installation you are running:
- Standard installation: in a standard installation, DeMeter and RavenDB are installed on the same server. Therefore, you can use the same certificate to access both DeMeter and RavenDB.
- High Availability installation: DeMeter and RavenDB are installed on different servers. The direct consequence is that DeMeter and RavenDB require a different set of certificates.
2 - Securing RavenDB access for DeMeter
2.1 - Overview
The procedure described in the next sections can be used after installing DeMeter.
Why secure RavenDB access? Securing RavenDB ensures that only DeMeter and permitted users can access RavenDB data. This provides an additional level of privacy and security for your data.
Note that access to RavenDB is not possible remotely by default: only local access is possible, i.e. from the server running DeMeter.
How can RavenDB be secured? RavenDB lets you implement mutual TLS - this specifically means that:
- A Server certificate can be loaded to RavenDB.
- A client certificate can then be generated via RavenDB. This certificate is based on the Server certificate.
The client certificate is mandatory to be allowed to access RavenDB.
There are therefore three stages to secure RavenDB:
- Customise RavenDB to use a dedicated Server certificate.
- Generate a Client Certificate via RavenDB.
- Configure DeMeter to securely connect to RavenDB using the certificate previously generated.
2.2 - Securing RavenDB
First, copy the certificate you were provided to your server.
Install the certificate to your Windows Server certificate store:
- Double click on the certificate: the Certificate Import Wizard opens.
- Choose Current User as the Store Location, then click Next.
- Confirm the file you wish to import then click Next.
- Fill in the certificate password then click Next.
- Select where you wish to store the certificate then click Next.
- Click Finish in the final window that opens.
The certificate will be available in your server Certificate Store.
Why do I need to import the certificate? The certificate is going to be used both to secure RavenDB and to access it from the server.
The second step is to modify RavenDB configuration to secure its access. To that end:
- Open the Services window, then stop the DeMeter service first, followed by the RavenDB / DeMeterDB service.
- Make a backup of RavenDB configuration file in C:\ProgramData\Desoutter\DeMeterDB\config\settings.json.
- Open RavenDB configuration file in C:\ProgramData\Desoutter\DeMeterDB\config\settings.json - the default setting should look like:
    {
        "DataDir": "C:\\ProgramData\\Desoutter\\DeMeterDB",
        "License.Eula.Accepted": "true",
        "Setup.Mode": "Unsecured",
        "Security.UnsecuredAccessAllowed": "PublicNetwork",
        "ServerUrl": "http://127.0.0.1:8666",
        "ServerUrl.Tcp": "tcp://127.0.0.1:38666",
        "Logs.Path": "C:\\ProgramData\\Desoutter\\DeMeterDB\\logs"
    }
Note: these settings ensure that RavenDB is only accessible from the server running DeMeter.
- Modify the configuration file to include the secured settings:
    {
        "License.Eula.Accepted": true,
        "Logs.Path": "C:\\ProgramData\\Desoutter\\DeMeterDB\\logs",
        "Setup.Mode": "Secured",
        "Security.UnsecuredAccessAllowed": "None",
        "ServerUrl": "https://Specify the Internal Ip Address:Specify the secured port",
        "ServerUrl.Tcp": "tcp://Specify the Internal Ip Address:Specify the port to use",
        "PublicServerUrl": "https://Specify the machine Common Name:Specify the secured port",
        "DataDir": "C:\\ProgramData\\Desoutter\\DeMeterDB",
        "Security.Certificate": {
            "Path": "Fill in the path to your certificate",
            "Password": "Fill In your certificate password",
            "Type": "pfx"
        },
        "HttpsPort": Specify the secured port you wish to use
    }
Save the file.
- Start the RavenDB / DeMeterDB service.
Note: look into a possible misconfiguration in the file if RavenDB does not start at this stage.
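When RavenDB does not start, the edited settings.json can be checked key by key. The PowerShell function below is an added example, not part of the original article or of Desoutter or RavenDB tooling, and its name is hypothetical. Because settings.json now holds the PFX password in clear text, it also reports whether the file or the PFX is readable by broad Windows groups.

```powershell
# Added example (not Desoutter or RavenDB tooling). The function name is
# hypothetical; the default path is the one given in this article.
function Test-RavenDbSecuredSettings {
    param([string] $SettingsPath = 'C:\ProgramData\Desoutter\DeMeterDB\config\settings.json')

    # A syntax error in the file surfaces here as a ConvertFrom-Json exception.
    $cfg = Get-Content -Raw -LiteralPath $SettingsPath | ConvertFrom-Json
    $pfx = $cfg.'Security.Certificate'
    $pfxExists = [bool]($pfx -and $pfx.Path -and (Test-Path -LiteralPath $pfx.Path -PathType Leaf))

    # Well-known SIDs: Everyone, Authenticated Users, BUILTIN\Users.
    $broadSids = 'S-1-1-0', 'S-1-5-11', 'S-1-5-32-545'
    $readData  = [System.Security.AccessControl.FileSystemRights]::ReadData
    $isBroadlyReadable = {
        param($Path)
        [bool]((Get-Acl -LiteralPath $Path).Access | Where-Object {
            $_.AccessControlType -eq 'Allow' -and
            ($_.FileSystemRights -band $readData) -and
            $broadSids -contains
                $_.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value
        })
    }

    $checks = [ordered]@{
        'Setup.Mode is Secured'                   = $cfg.'Setup.Mode' -eq 'Secured'
        'Security.UnsecuredAccessAllowed is None' = $cfg.'Security.UnsecuredAccessAllowed' -eq 'None'
        'ServerUrl uses https'                    = $cfg.ServerUrl -like 'https://*'
        'PublicServerUrl uses https'              = $cfg.PublicServerUrl -like 'https://*'
        'Security.Certificate Type is pfx'        = $pfx.Type -eq 'pfx'
        'Certificate file exists at Path'         = $pfxExists
        'settings.json not broadly readable'      = -not (& $isBroadlyReadable $SettingsPath)
        'PFX file not broadly readable'           = $pfxExists -and -not (& $isBroadlyReadable $pfx.Path)
    }
    foreach ($name in $checks.Keys) {
        [pscustomobject]@{ Check = $name; Passed = [bool]$checks[$name] }
    }
}

# Usage, from an elevated PowerShell session on the server:
# Test-RavenDbSecuredSettings | Format-Table -AutoSize
```

Files under C:\ProgramData often inherit read access for the local Users group, so a failed "not broadly readable" check is a reason to tighten the ACL to the service account and administrators.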
The next step in the procedure is to test whether the communication is now properly secured. To that end, open your favourite web browser on the server then:
- Fill in the connection URL, i.e. the Server URL parameter setup in RavenDB configuration file.
- RavenDB will request you to select a certificate to connect.
Select the certificate you have saved in Windows Certificate Store then click OK.
Notes:
- If an error message is raised while trying to connect to RavenDB or you are not prompted to select a certificate, check the Configuration File.
- If the server certificate you tried to import as a first step to the procedure is not available in the list to choose from, try importing it again.
You can check that the certificate is properly loaded by resting the mouse pointer on the Lock Icon from the RavenDB Studio - a tool tip provides you with additional certificate details.
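The browser test can be complemented by a scripted handshake that reports the negotiated TLS version and the certificate RavenDB presents. The PowerShell function below is an added example, not part of the original article or of Desoutter or RavenDB tooling; its name and the values in the usage lines are hypothetical.

```powershell
# Added example (not Desoutter or RavenDB tooling); the function name is hypothetical.
function Get-RavenDbTlsInfo {
    param(
        [Parameter(Mandatory)][string] $HostName,   # host used in PublicServerUrl
        [Parameter(Mandatory)][int]    $Port,       # secured port from settings.json
        [System.Security.Cryptography.X509Certificates.X509Certificate2] $ClientCertificate
    )
    $ssl = $null
    $tcp = [System.Net.Sockets.TcpClient]::new($HostName, $Port)
    try {
        $ssl = [System.Net.Security.SslStream]::new($tcp.GetStream(), $false)
        $clientCerts = [System.Security.Cryptography.X509Certificates.X509CertificateCollection]::new()
        if ($ClientCertificate) { [void]$clientCerts.Add($ClientCertificate) }

        # Default validation applies: the handshake throws if the server certificate
        # is untrusted, expired, or does not match $HostName.
        # SslProtocols 'None' lets Windows negotiate the best version it supports
        # (requires .NET Framework 4.7 or later, or PowerShell 7).
        $ssl.AuthenticateAsClient($HostName, $clientCerts,
            [System.Security.Authentication.SslProtocols]::None, $false)

        $server = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new(
            $ssl.RemoteCertificate)
        [pscustomobject]@{
            Protocol              = $ssl.SslProtocol
            # The article lists TLS 1.2 and TLS 1.3 as the supported protocols.
            ProtocolAccepted      = "$($ssl.SslProtocol)" -in 'Tls12', 'Tls13'
            ServerSubject         = $server.Subject
            ServerThumbprint      = $server.Thumbprint
            ServerNotAfter        = $server.NotAfter
            MutuallyAuthenticated = $ssl.IsMutuallyAuthenticated
        }
    }
    finally {
        if ($ssl) { $ssl.Dispose() }
        $tcp.Close()
    }
}

# Usage (host name, port and PFX path are placeholders):
# $pfx = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new(
#            'C:\path\to\certificate.pfx', (Read-Host 'PFX password' -AsSecureString))
# Get-RavenDbTlsInfo -HostName 'server-common-name' -Port 443 -ClientCertificate $pfx
```

Compare ServerThumbprint with the thumbprint of the certificate you imported to confirm RavenDB is presenting the intended Server certificate.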

2.3 - Configuring DeMeter to access a secured RavenDB
The next step is to configure DeMeter to access RavenDB using a dedicated Client Certificate.
To access the client certificate generator:
- Use your favourite browser to open RavenDB studio.
- Click the Lock Icon to open the Certificates menu - the Server Certificate loaded at the previous step must be listed.
- Expand the Client Certificate drop down menu then click Generate Client Certificate.
The Generate client certificate panel appears.
The client certificate panel lets you define the following parameters:
- The certificate name.
- The Database Security Clearance. There are three levels:
  - User: the most restricted security clearance. It is possible to restrict the access to a single database and choose the type of operations the user is permitted to do.
  - Operator: a user with this security clearance can access all databases in RavenDB. The user can also read, write and perform other administrative tasks. This user cannot, however, perform any operations related to Node Clustering when using the High Availability feature from DeMeter, nor replace the Server Certificates or access Monitoring Data via SNMP OIDs.
  - Admin: the user has full administrative permissions on the RavenDB server.
  For DeMeter, use the Admin level permissions.
- The certificate passphrase: this password is used to secure the Client Certificate.
- Expiration date.
- Whether to use Two Factor Authentication: this option must be left unchecked for DeMeter Client Certificate.
Fill in the various parameters then click Generate.
A ZIP package is generated with the client certificate.
Move the ZIP Package to a folder of your choosing then
The last step in the process is to edit DeMeter configuration file and setup the Secured Connection to RavenDB:
- If you have not customised DeMeter configuration yet, copy C:\Program Files\Desoutter\DeMeter\appsettings.json configuration file to C:\ProgramData\Desoutter\DeMeter\API.
- Open C:\ProgramData\Desoutter\DeMeter\API\appsettings.json file then edit the database settings parameters - default connection details are setup as below:
    "DeMeterDB": {
        "NodeURLs": [ "http://localhost:8666" ],
        "Database": "DeMeter",
        "ReplicationFactor": null // null or 0 means "replicate database on all nodes"
    },
In order to secure the connection, edit the file with the below settings:
    "DeMeterDB": {
        "NodeURLs": [ "RavenDB specified PublicServerURL" ],
        "Database": "DeMeter",
        "CertificatePath": "Path To Raven DB Client Certificate",
        "CertificatePassword": "Client Certificate Password",
        "ReplicationFactor": null
    },
- NodeURLs: must match the PublicServerUrl parameter set in the RavenDB configuration file.
- CertificatePath: path where the ZIP file has been copied to and uncompressed.
- CertificatePassword: client certificate password set while creating it.
Save the file then start DeMeter service.
Open a web browser then connect to DeMeter: no RavenDB connection error must be reported.